The present invention relates to the protection of a computer and in particular to the protection of confidential data stored in memory.
FIG. 1 very schematically shows a conventional computer architecture. It includes a central processing unit (CPU) 10 connected to a terminal 11 comprising a screen and a keyboard; to volatile central random access memory (RAM) 12; to a non-volatile read only memory (ROM) 13; to a mass storage device 14, such as a hard disk or a floppy disk; to groups of peripheric devices P1 and P2, such as printers, other disks, etc.; and to a volatile battery powered CMOS memory 16 where configuration data defined by the operator are stored. The configuration data comprise information for adapting and adjusting, or "configuring", the computer as a function of initial options desired by the operator and, especially, so that the computer can correctly use its peripheric devices, such as the screen, the keyboard, the hard disk, etc.
Nowadays, certain computers are inoperable by a person not knowing the password at power-on of the computer. Indeed, at power-on and before the computer can be used, a password is asked for. However, such a computer is vulnerable when it is on and the password has been entered.
More sophisticated computers, such as models 286N and 386N manufactured by the firm Compaq, offer security functions. Among the configuration data there are a password and access prohibitions to a group of peripheric devices, for example P1, wherein the prohibitions cannot be raised, theoretically, unless the password is known. For example, access can be prohibited to a hard disk of a computer which stays on unwatched in order to prevent an unauthorized person from accessing the data stored on the disk.
To enhance the security, for reasons which will be discussed later, the password is stored in an area of the CMOS memory 16, the access of which can be irreversibly cut while the computer is on. The access to the other configuration data must not be cut because the operating system of the computer must be able to use them. The operation of such a computer is as follows.
At power-on of the computer (cold boot), the computer must perform a certain number of operations before the operator can use it. These operations are generally the following.
a) A Power-On Self Test program (POST), which is permanently stored in ROM 13, is executed by the CPU 10. This program reads the configuration data in CMOS memory 16, these data including the password and the access prohibitions, then asks the operator to provide a password and continues its execution if the password is good.
b) The POST configures the computer, adjusts the peripheric devices and cuts the accesses to the prohibited peripheric devices, for example group P1.
c) During the execution of the POST, the operator can choose to modify the configuration. This choice is generally achieved by hitting a key before the end of a predetermined time interval. In this case, the POST executes a configuration program, usually called SETUP, stored in ROM. As program SETUP is executed, the operator can see on the screen the actual configuration stored in the CMOS memory, and propose modifications. The configuration is then modified in the CMOS memory. To validate the new configuration, operation b) must be resumed, which can only be done, in general, by rebooting the computer.
d) Before terminating, the POST cuts the access to the password stored in the CMOS memory and loads into the central memory 12 an operating system stored on the mass storage device 14. The operating system is a program which uses the configuration data stored in the CMOS memory, manages the computer and allows the operator to exploit the computer in a simple way.
When the mass storage device 14 is a hard disk containing the operating system permanently, in practice, the operator also has the possibility to use an operating system stored on a floppy disk. Therefore, a floppy disk drive is provided in which the operator inserts the floppy disk and, when the computer is rebooted, the POST will first attempt to load the operating system from this floppy disk. It will be considered hereafter that the computers have a hard disk as mass storage device 14 for which a floppy disk can be substituted and wherein the loading of the operating system is first attempted from a floppy disk.
To reboot the computer it is also possible to do a warm boot, i.e. a reset of the computer while its power is still on. In unprotected computers, this has the same effect as a cold boot, except that it is faster.
A drawback of known computers is that the CMOS memory 16 is easily accessed. The access to this memory is standard so that it is compatible with all available operating systems. Thus, a hacker having some technical knowledge knows how to modify the accessible content of the CMOS memory by using, for example, a debugger program, generally available with the operating system, which allows data to be written and read in memory areas, especially in the CMOS memory. The hacker is also able to reboot on a floppy disk containing a program which is executed automatically and can, for example, modify the contents of the CMOS memory in a short time.
In the above mentioned 286N and 386N computer models, during a warm boot, access to the password in the CMOS memory is not reestablished and the password cannot be used by the POST. During such a boot, the POST must still be executed to configure the computer. Thus, since the POST does not then block the use of the computer by a password, a hacker can do a warm boot on a floppy disk in a disk drive to which the access was not cut. Although the hacker cannot then access the password, he can cancel the access prohibitions and modify the configuration.
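As an added illustration (not part of the original text), the following C model simulates boot steps a), b) and d) and the warm-boot behaviour described above, showing that cutting access to the password alone leaves the access prohibitions unprotected. The structure, the function names and the sample password are assumptions made for the example and do not reproduce any actual POST code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of CMOS memory 16; field names are illustrative. */
struct cmos {
    char password[8];   /* area whose access can be cut */
    bool pw_access_cut; /* latch set by the POST, cleared only by a cold boot */
    bool p1_prohibited; /* access prohibition for group P1 (stays writable) */
};
struct machine { struct cmos cmos; bool p1_enabled; };

/* Password read: fails once access has been cut. */
bool cmos_read_password(const struct cmos *c, char out[8]) {
    if (c->pw_access_cut) return false;
    memcpy(out, c->password, 8);
    return true;
}

/* POST steps a), b), d). Returns true when the boot goes on to load an OS. */
bool post(struct machine *m, bool cold, const char *typed) {
    char pw[8];
    if (cold) m->cmos.pw_access_cut = false;
    if (cmos_read_password(&m->cmos, pw) && strcmp(pw, typed) != 0)
        return false;                          /* a) wrong password: stop */
    /* Warm boot: the password is unreadable, so no check is made. */
    m->p1_enabled = !m->cmos.p1_prohibited;    /* b) apply prohibitions */
    m->cmos.pw_access_cut = true;              /* d) cut password access */
    return true;
}

/* Any program run after boot can rewrite the configuration data left open. */
void program_clear_prohibition(struct machine *m) { m->cmos.p1_prohibited = false; }

/* Scenario from the text: computer left on with P1 prohibited, then warm-booted. */
bool p1_reachable_without_password(void) {
    struct machine m = { { "secret", false, true }, false };
    if (post(&m, true, "guess")) return false; /* cold boot needs the password */
    post(&m, true, "secret");                  /* legitimate power-on */
    bool before = m.p1_enabled;                /* false: P1 access is cut */
    post(&m, false, "");                       /* warm boot, nothing asked */
    program_clear_prohibition(&m);             /* configuration is rewritten */
    post(&m, false, "");                       /* next warm boot applies it */
    return !before && m.p1_enabled;
}

int main(void) { printf("%d\n", p1_reachable_without_password()); return 0; }
```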
A floppy disk boot can be prohibited, but this is usually done by software which a competent hacker can bypass.
Moreover, erroneous instructions in a program can accidentally modify the contents of the CMOS memory.
The CMOS memory 16 is usually a battery powered volatile memory for various technical reasons; especially, this memory is associated with a real-time clock. Thus, at the end of the life of the battery (about 5 years) the content of the CMOS memory will vanish.